From:             [EMAIL PROTECTED]
Operating system: Linux
PHP version:      4.0.4pl1
PHP Bug Type:     Feature/Change Request
Bug description:  Selectable option for PHP_AUTH_PW

I am currently running Apache-1.3.17 with php-4.0.4pl1. It appears that when I am 
using Apache's own mod_auth with .htaccess and .htpasswd authentication, PHP will 
store the password from Apache into the PHP_AUTH_PW variable.

Though it is useful sometimes, it also creates a security problem in the following 
situation.

access to http://www.abc.com is limited to users who each have their own unique 
username/password.

http://www.abc.com/apps1 is developed and maintained by groupA

http://www.abc.com/apps2 is developed and maintained by groupB

Any malicious developer in groupA or B will be able to silently steal the user's 
password when they access either apps1 or apps2, without the user knowing, by just 
saving the values found in PHP_AUTH_USER and PHP_AUTH_PW.

The malicious developer can then use the saved password to assume the identity of the 
original user and access the website to perform functions without the original user 
knowing.

Hence I am wondering if it will be possible to have a configuration directive that can 
select whether PHP_AUTH_PW will store the external password when external 
authentication modules like mod_auth are used.


-- 
Edit Bug report at: http://bugs.php.net/?id=9022&edit=1
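One way a site operator can approximate the requested behaviour today, as an added example that is not part of the bug report or of PHP itself: a script loaded through the existing `auto_prepend_file` php.ini directive that withholds the Basic-auth password from application code whenever Apache has already authenticated the request. It assumes `$_SERVER` is available (PHP 4.1 and later); `$HTTP_SERVER_VARS` is the PHP 4.0.x equivalent.

```php
<?php
// Added example (not PHP's own code): install via php.ini
//   auto_prepend_file = /etc/php/scrub_auth_pw.php
// so it runs before every script on the host.

// Apache sets REMOTE_USER and AUTH_TYPE only after mod_auth has accepted the
// credentials, so their presence means the server, not PHP, did the check.
$serverAuthenticated = isset($_SERVER['REMOTE_USER'])
    && isset($_SERVER['AUTH_TYPE'])
    && strcasecmp($_SERVER['AUTH_TYPE'], 'Basic') === 0;

if ($serverAuthenticated) {
    // Each place the cleartext password (or the raw Authorization header
    // it can be decoded from) is exposed to application code.
    $secrets = array('PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION');
    foreach ($secrets as $key) {
        unset($_SERVER[$key]);
        unset($HTTP_SERVER_VARS[$key]);   // legacy PHP 4 alias of $_SERVER
        unset($GLOBALS[$key]);            // copy created when register_globals=On
    }
    // Applications in apps1/apps2 still learn who the user is, but only the
    // identity Apache already verified, never the password.
    $_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER'];
}
```

This reduces exposure rather than eliminating it: under mod_php, application code can still obtain the raw Authorization header through apache_request_headers(), so the prepend script should be combined with reviewing what the per-group code bases are allowed to call.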